Fighting Back against Spear Phishing Attacks with a $100K Prize

Spear phishing is a growing and costly problem for email users. Mainly targeting businesses, this form of attack—also sometimes called “boss phishing” or “CEO phishing”—masquerades as an email from someone higher up in the company.

Reported attacks have included highly sensitive requests like sending over confidential files, changing passwords, or transferring money into another account. Another type of email instructs the recipient to open the attachment or click on the link, which then installs a virus on the network. Attacks like these can cause long-term damage to a company, both financially and in terms of loyalty and brand trust. Unfortunately, they’re also highly effective in terms of what hackers hope to gain, as well as relatively easy to pull off. It only takes one employee to fall for a seemingly genuine email.

Facebook has been fighting back against this form of attack, and has now presented the fourth Internet Defense Prize, at the recent USENIX Security Conference, to a team that may have uncovered a way to tell the real emails from the fake, then block them before they can reach their target.

The team developed a standardized set of characteristics of genuine emails and spear phishing attempts. By analyzing more than 370 million emails sent over a period of years by thousands of employees, the team’s program correctly discovered six known spear phishing emails. In an interesting twist, the program also uncovered two emails that were spear phishing attacks but had not been caught.

Facebook has offered the prize each year and routinely incorporates the winners’ security findings into its own protocols in exchange for the $100,000 prize. The social media company has also offered $1 million in further funding to encourage original research based on the prize-winning work.

Until such time as there’s a perfected block against spear phishing, it’s up to businesses to stop this threat. That means training all employees on how to spot phishing emails of any kind, and instituting firm policies concerning clicking links, opening attachments, or downloading content, even on their personal devices while connected to the company network. More importantly, it is necessary to help employees understand that some requests from the boss shouldn’t be blindly followed; spear phishing works largely because of the “I say jump, you say how high” mentality. When employees understand that they are never to comply with sensitive requests without verbal confirmation, spear phishing can be less effective and employees will be more protected.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.